Establishing a private network using multi-uplink capable network devices

ABSTRACT

Various implementations disclosed herein include systems, methods and apparatuses of a first device, that obtain contact point information of a second device associated with the first device, as a peer device in a private network, where the contact point information of the second device includes one or more peer uplink identifiers and each respective peer uplink identifier corresponds to a respective peer device uplink of the second device. The systems, methods and apparatuses establish a first private network data tunnel from a first uplink of the first device to the second device, using the contact point information of the second device, and a first uplink identifier associated with the first uplink, and establish a second private network data tunnel from a second uplink of the first device to the second device, using the contact point information of the second device, and a second uplink identifier associated with the second uplink.

RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No.17/193,571, filed on Mar. 5, 2021, which in turn, is a continuation ofU.S. patent application Ser. No. 17/176,779, filed on Feb. 16, 2021,which in turn, is a continuation of U.S. patent application Ser. No.17/110,484, filed on Dec. 3, 2020, which in turn, is a continuation ofU.S. patent application Ser. No. 15/984,243, filed on May 18, 2018, nowU.S. Pat. No. 10,917,926, which in turn, is a continuation applicationof U.S. patent application Ser. No. 14/974,331, filed on Dec. 18, 2015,now U.S. Pat. No. 9,980,303, the contents of which are incorporatedherein by reference in their entireties.

TECHNICAL FIELD

The present disclosure relates to communication networks, and inparticular, to the establishment of private network data tunnels betweennetworking devices.

BACKGROUND

As a business organization grows and spreads out to geographicallyseparated branch locations, the associated information technology (IT)network infrastructure often also changes. One aspect of changing ITnetwork infrastructure is the desire to establish and maintain a secureprivate network associated with the business organization that isdistributed geographically. In many cases, a private network betweenbranch locations is established over public networks. One example ofthis networking technique is site-to-site virtual private network (VPN)deployment. To set up and maintain these private networks, variousnetworking devices such as routers, switches and security appliances areutilized.

In recent years, various technology trends such as the migration ofcomputing resources to the cloud, and a rapid increase in mobile devicedata usage have contributed to an increase in private network trafficamong networking devices. Networking devices have traditionally beenlimited to only using one network connection to support establishment ofa private network, even if the networking device had multipleexternal-facing ports that could support other network connections.Although this technique offers simplicity, the limitation of using asingle network connection to establish a private network has resulted ina bandwidth constraint as the demand for networking resources increases.

BRIEF DESCRIPTION OF THE DRAWINGS

So that the present disclosure can be understood by those of ordinaryskill in the art, a more detailed description may be had by reference toaspects of some illustrative implementations, some of which are shown inthe accompanying drawings. The appended drawings, however, illustrateonly some example features of the present disclosure and are thereforenot to be considered limiting, for the description may admit to othereffective features.

FIG. 1 is a block diagram of a networking environment in accordance withsome implementations.

FIG. 2 is a block diagram illustrating the flow of messages amongentities of a networking environment in accordance with someimplementations.

FIG. 3A is a block diagram illustrating the establishment of datatunnels at a multi-uplink network device.

FIG. 3B is a block diagram illustrating the establishment of datatunnels between multi-uplink network devices.

FIG. 4A is an example of a contact point registry for multi-uplinknetwork devices in accordance with some implementations.

FIG. 4B is an example of a local multi-uplink peer contact point tablein accordance with some implementations.

FIG. 5 is a flowchart representation of a method of establishing privatenetwork data tunnels between multi-uplink network devices in accordancewith some implementations.

FIG. 6 is a flowchart representation of a method of establishing privatenetwork data tunnels between multi-uplink network devices in accordancewith some implementations.

FIG. 7 is a flowchart representation of a method of retrieving contactpoint information for multi-uplink network devices, at a contact pointnetwork entity in accordance with some implementations.

FIG. 8 is a flowchart representation of a method of retrieving contactpoint information for multi-uplink network devices, at a contact pointnetwork entity in accordance with some implementations.

FIG. 9 is a block diagram of an example multi-uplink network device of anetworking environment in accordance with some implementations.

FIG. 10 is a block diagram of an example contact point network entity ofa networking environment in accordance with some implementations.

In accordance with common practice the various features illustrated inthe drawings may not be drawn to scale. Accordingly, the dimensions ofthe various features may be arbitrarily expanded or reduced for clarity.In addition, some of the drawings may not depict all of the componentsof a given system, method or device. Finally, like reference numeralsmay be used to denote like features throughout the specification andfigures.

DESCRIPTION

Numerous details are described in order to provide a thoroughunderstanding of the example implementations shown in the drawings.However, the drawings merely show some example aspects of the presentdisclosure and are therefore not to be considered limiting. Those ofordinary skill in the art will appreciate that other effective aspectsand/or variants do not include all of the specific details describedherein. Moreover, well-known systems, methods, components, devices andcircuits have not been described in exhaustive detail so as not toobscure more pertinent aspects of the example implementations describedherein.

Overview

Previous solutions to the problem of supporting a private network amongnetwork devices actively using a single uplink, fail to provide systemsor processes that support the establishment of a private network amongmulti-uplink networking devices. By contrast, and to that end, variousimplementations disclosed herein include systems, methods andapparatuses that involve a first network device using uplink identifiersto identify respective uplinks involved in the establishment of datatunnels to other network devices. For example, in some implementations,a method includes obtaining contact point information of a second deviceassociated with the first device, as a peer device in a private network,where the contact point information of the second device includes one ormore peer uplink identifiers and each respective peer uplink identifiercorresponds to a respective peer device uplink of the second device. Themethod includes establishing a first private network data tunnel from afirst uplink of the first device to the second device, using the contactpoint information of the second device, and a first uplink identifierassociated with the first uplink. The method also includes establishinga second private network data tunnel from a second uplink of the firstdevice to the second device, using the contact point information of thesecond device, and a second uplink identifier associated with the seconduplink.

Various implementations disclosed herein include systems, methods andapparatuses that share and maintain addressing information fornetworking devices of a given network, at a network entity. For example,in some implementations, a method includes receiving a first registryrequest message from a first uplink of a first device having two or moreuplinks, where each respective uplink is associated with a respectiveuplink identifier, and the first registry request message includes afirst portion and a second portion, where the first portion ischaracterized by a first write privilege and the second portion ischaracterized by a second write privilege different from the first writeprivilege. The method also includes obtaining first peer contact pointinformation corresponding to one or more peer device uplinks of one ormore respective peer devices of the first device, and generating a firstresponse message including the first peer contact point information.

Multi-uplink network devices capable of supporting private networkingover two or more uplinks create at least two major challenges toaddress. First, any respective multi-uplink network device of a networkprefers to be able to establish and use private network data tunnelswith other network devices by properly addressing the various uplinkconnections involved. Second, multi-uplink network devices of a networkprefer to convey and obtain addressing information corresponding to eachand every uplink configured to establish private network data tunnels.

FIG. 1 is a block diagram of a networking environment 100 in accordancewith some implementations. While pertinent features are shown, those ofordinary skill in the art will appreciate from the present disclosurethat various other features have not been illustrated for the sake ofbrevity and so as not to obscure more pertinent aspects of the exampleimplementations disclosed herein. To that end, as a non-limitingexample, networking environment 100 includes a public/external network120 (e.g., a portion of the Internet), one or more third-partydestinations 130, a cloud hosted network management system 110, acontact point network entity 160, an optional network addresstranslation device (NAT) 153, optional Internet service provider (ISP)nodes 140 a and 140 b, optional multiprotocol label switching (MPLS)nodes 175 a and 175 b, network device A 151 having Table A 152 andnetwork device B 154 having Table B 155, and local area networks LAN A150 and LAN B 156. In some implementations, MPLS nodes 175 a and 175 bare ISP nodes similar to ISP nodes 140 a and 140 b. In some embodiments,MPLS node 175 a is the same as ISP node 140 a, and/or MPLS node 175 b isthe same as ISP node 140 b (e.g., the same Internet service providersupplies each connection).

Moreover, while FIG. 1 includes only two LANs (e.g., LAN A 150 and LAN B156), those of ordinary skill in the art will appreciate that in someimplementations, a private network is associated with an arbitrarynumber of geographically distributed and/or collocated local areanetworks. Similarly, while FIG. 1 illustrates two example networkdevices (e.g., Device A 151 and Device B 154), in some implementations aprivate network includes more than two network devices.

In various implementations, LANs (e.g., LAN A 150 and/or LAN B 154)include additional infrastructure not shown in FIG. 1 , such as agateway node, and/or a network root node. In some implementations, LANsare associated with a number of compliant networking devices, and/or anumber of non-compliant networking devices, where compliant devices areconfigured to communicate particular information with the cloud hostednetwork management system 110. For example, compliant devices areconfigured to share status information, configuration information and/ornetwork traffic information with the cloud hosted network managementsystem 110 and/or other compliant devices. In some implementations, anumber of client devices 157 are operating within a respective LAN.

The network devices shown in FIG. 1 , Device A 151 and Device B 154 arecapable of establishing private network tunnels (e.g., VPN data tunnels)simultaneously using two or more uplinks. In some embodiments, at leastone uplink for a respective network device uses a public networkconnection and at least one uplink for a respective network device usesa higher-quality connection. For example, Device A 151 uses Uplink 0 170to connect to public/external network 120 using a low-cost and lowerquality link provided by ISP 140 a, and Uplink 1 171 to connect to ahigher-quality MPLS link 175 a. Unlike network devices utilizing a “hotstandby” or backup uplink, Device A 151 uses at least two uplinks on anactive basis during normal operation. The multi-uplink network devicesshown in FIG. 1 each show two active uplinks, however those of ordinaryskill in the art will appreciate from the present disclosure that insome embodiments, the multi-uplink devices disclosed herein utilize morethan two simultaneously active uplinks. Furthermore, while themulti-uplink network devices shown in FIG. 1 show the use of Internetand MPLS uplinks, those of ordinary skill in the art will appreciatefrom the present disclosure that in some embodiments, the uplinkconnections include other technologies, including satellite servicessuch as very small aperture terminal (VSAT) links.

In some embodiments, network devices with this multi-uplink capabilityselectively route network traffic over data tunnels established betweennetwork devices, for various reasons. For example, one reason is toreduce bandwidth-related costs associated with the use of high-qualitynetwork connections, such as MPLS, which can be supplemented with alower-cost network connection, such as an Internet connection. In someembodiments, multi-uplink network devices selectively route networktraffic over data tunnels, to isolate sensitive data and ensure there isadequate bandwidth for high priority activities such as transferringpayment information. For example, a multi-uplink networking device canroute credit card transaction information through a tunnel using itsMPLS uplink, and route web-surfing traffic through a tunnel using itsInternet uplink.

The one or more third-party destinations 130 provide various third-partycontent and services, such as email, media content, online banking,social networking servers, etc. Other than providing sources and/ordestinations for client data traffic, the details of the one or morethird-party destinations 130 are not particularly pertinent to the scopeof the present disclosure. As such, no further details pertaining to theone or more third-party destinations 130 are provided for the sake ofbrevity.

FIG. 1 further illustrates that Device A 151 connects LANA 150 to thepublic network 120 through an optional ISP node 140 a, and in someembodiments, includes features such as a firewall. In someimplementations, a network device such as Device A 151 is provided as asingle entity (e.g., a router, a virtual machine, etc.). In someimplementations, a network device such as Device A 151 includes adistributed system including a suitable combination of software, datastructures, virtual machines, computing devices, servers, switches androuters. Merely for the sake of brevity and convenience of explanation,network devices are described herein as single entities.

In some implementations, network devices, such as Device A 151 and/orDevice B 154, include routers and/or provide routing functionality. Insome implementations, a network device operates in connection with othernetworking appliances such as NAT devices (e.g., NAT 153), while in someimplementations at least some of the functionality of one or more otherappliances is built into the network devices. In some embodiments,network devices are capable of filtering network traffic to and fromclient devices 157, and optionally performing this filtering on thebasis of Layer 7 (of the OSI model) packet information. In someimplementations, network devices such as Device A 151 and/or Device B154, are used to establish private networks (e.g., virtual privatenetworks or VPNs) between themselves. In some of these implementations,some or all network traffic from client devices 157 can be routedthrough a network device over a private network. For example, Device A151 is configured to allow VPN traffic from client device 157 a to gothrough a VPN data tunnel established with Device B 154, destined foranother client device on LAN B 156. In this same example, Device A 151allows network traffic from client devices 157 destined for a 3^(rd)party destination 130 to travel over the public/external network 120.

The networking environment 100 includes a contact point network entity160 configured to maintain, obtain and/or report addressing informationfor networking devices, such as Device A 151 and/or Device B 154. Insome embodiments, contact point network entity 160 is a part of cloudhosted management server 110. In some implementations, contact pointnetwork entity 160 and cloud hosted management server 110 reside on asingle network entity, such as a group of servers, a single servermachine or portions of several servers that are not dedicated to theseservices.

Contact point network entity 160 includes a contact point registry 161for storing contact point information of network devices, a contactpoint server 162, and in some implementations, a gateway deviceproviding access to public network 120 for contact point network entity160. Contact point network entity 160 includes addressing informationfor one or more multi-uplink routers of networking environment 100.

The addressing information stored at contact point network entity 160comprises various elements. For example, such addressing informationincludes uplink identifiers, Internet Protocol (IP) addresses, portnumbers, device identifiers, device serial numbers, user-selected devicenames, geographic location data, client identification (e.g., ABC CoffeeShops or client 2395), and/or device connectivity information. In someimplementations, the addressing information stored at contact pointnetwork entity 160 includes private addressing information and publicaddressing information. For example, Uplink 0 172 of network device B154 operates behind NAT 153, and consequently has a public IP addressand public port number that are both accessible and visible from publicnetwork 120, and a private IP address and private port number. In someimplementations, a set of addressing information for a respective deviceor for a respective uplink of a multi-uplink device is referred to ascontact point information. For example, contact point network entity 160has contact point information corresponding to Uplink 0 170 of Device A151, such as a private IP address, a private port number, a public IPaddress, a public port number, an uplink identifier and a deviceidentifier.

In some embodiments, contact point information is indexed in the contactpoint registry 161, on the basis of network devices, and sub-indexed byuplinks of respective network devices (e.g., using device and uplinkidentifiers). In some embodiments, a subset of a respective uplink'scontact point information is referred to as public contact pointinformation and another subset of the uplink's contact point informationis referred to as private contact point information. For example, theprivate IP address and private port number associated with Uplink 1 173of Device B 154, is included in the private contact point information ofthat specific uplink of that specific device. In some implementations,an uplink of a networking device only has private contact pointinformation or public contact point information, or both sets of contactpoint information are the same. For example, Uplink 1 171 of Device A151 is not associated with a NAT device, so it is only associated withone IP address and one port number.

FIG. 1 illustrates that Device A 151 includes a local peer contact pointtable, Table A 152. In some embodiments, one or more networking devicesof a private network have a local peer contact point table containingsome or all of a the contact point information stored at contact pointregistry 161. In some embodiments, a local peer contact point table hascontact point information for peer network devices (includingmulti-uplink network devices) of a respective network device. In someembodiments, peer network devices of a respective network device arenetwork devices with which the respective network device shares acommunication path or data tunnel. For example, Table A 152 of Device A151 has a private IP address and private port number and public IPaddress and public port number corresponding to Uplink 0 172 of Device B154, and similarly for Uplink 1 173 of Device B 154, a peer device toDevice A 151.

Client devices 157 generally include any suitable computing device, suchas a computer, a laptop computer, a tablet device, a netbook, aninternet kiosk, a personal digital assistant, a mobile phone, asmartphone, a wearable, a gaming device, a computer server, etc. In someimplementations, each client device (e.g., laptop 157 a, workstation 157b, smartphone 157 c, etc.) includes one or more processors, one or moretypes of memory, a display and/or other user interface components suchas a keyboard, a touch screen display, a mouse, a track-pad, a digitalcamera and/or any number of supplemental devices to add functionality.In some implementations, a client device includes a suitable combinationof hardware, software and firmware configured to provide at least someof protocol processing, modulation, demodulation, data buffering, powercontrol, routing, switching, clock recovery, amplification, decoding,and error control.

The cloud hosted network management system 110 is configured to managethe configuration and operation of compliant devices in a LAN and/oracross geographically distributed portions of a VLAN. To that end, thecloud hosted network management system 110 includes a configurationdatabase 111 for storing configuration information of compliant devices,a cloud hosted management server 112, and in some implementations, agateway device. In some embodiments, compliant devices are configured tocommunicate particular information with the cloud hosted networkmanagement system 110. For example, compliant devices are configured toshare status information, configuration information and/or networktraffic information with the cloud hosted network management system 110and/or other compliant devices. In some embodiments, the networkdevices, Device A 151 and Device B 154, of FIG. 1 are compliant devices.

In some implementations, a gateway device (not shown) connects the cloudhosted management server 112 to the public network 120 so that the cloudhosted management server 112 is able to communicate with one or moreLANs and/or geographically distributed portions of a VLAN, andoptionally includes features such as a firewall. In someimplementations, a gateway device is provided as a single entity (e.g.,a server, a virtual machine, etc.). In some implementations, a gatewaydevice includes a distributed system including a suitable combination ofsoftware, data structures, virtual machines, computing devices, servers,switches and routers. Merely for the sake of brevity and convenience ofexplanation, the optional gateway device is described herein as a singleentity.

FIG. 1 illustrates the use of ISP node 140 a to link LAN A 150 to thepublic network 120 using Uplink 0 170, and the use of ISP node 140 b tolink LAN B 156 to the public network 120 using Uplink 0 172. In someembodiments an ISP node is not required to link a local area network toa public network. In various implementations, ISP nodes 140 a and/or 140b are each provided as a single entity (e.g., a server, a virtualmachine, etc.). In some implementations, ISP node 140 a and/or 140 b areeach implemented as a distributed system including a suitablecombination of software, data structures, virtual machines, computingdevices, servers, switches and routers. For the sake of brevity andconvenience of explanation, the ISP nodes 140 a and 140 b are eachdescribed herein as a single entity.

FIG. 2 is a block diagram illustrating the flow of messages amongentities of a networking environment 200 in accordance with someimplementations. For the sake of brevity and convenience of explanation,some elements from networking environment 100, described with respect toFIG. 1 , have been removed from FIG. 2 , however those of ordinary skillin the art will appreciate from the present disclosure that in someembodiments, these elements exist in networking environment 200, andfunction as described earlier. Networking environment 200 illustratesone example network device, Device B 154, communicating with the contactpoint network entity 160, however those of ordinary skill in the artwill appreciate from the present disclosure that in some embodiments, atany given point in time, contact point network entity 160 is incommunication with several other network devices, optionally includingnetwork devices not associated with networking environment 200 ornetworking environment 100. In some embodiments, an uplink of a networkdevice is in direct communication with contact point network entity 160,as exhibited by Uplink 1 173 of Device B 154, while in some embodiments,an uplink of a network device has a NAT device (e.g., NAT 153) in thepath of communication with contact point network entity 160, as is thecase for Uplink 0 172 of Device B 154, in FIG. 2 . In someimplementations a NAT device provides a firewall for network trafficgoing to or from a network device.

In the example shown in FIG. 2 , multi-uplink network device B 154generates special communications called registry request messages suchas RRM 163, and conveys these registry request messages from itsrespective uplinks to the contact point network entity 160. In someimplementations a respective network device transmits registry requestmessages to the contact point network entity 160. For example,transmission of a registry request message is also referred to as a“push” activity by the network device. In some implementations registryrequest messages are retrieved from network devices, by contact pointnetwork entity 160. For example, retrieval of a registry request messageis also referred to as a “pull” activity by contact point network entity160. Regardless of the particular mechanism, in various implementationsa registry request message corresponding to a particular uplink of anetwork device arrives at the contact point network entity 160 on aperiodic basis (e.g., every 10 seconds). In some implementations, thefrequency with which these uplink-specific registry request messages arereceived is analyzed by contact point network entity 160. For example, alonger than average receipt time indicates a problem with thecorresponding uplink of the network device. In some implementations, notreceiving any registry request messages associated with any uplink of anetwork device is interpreted by contact point network entity 160 tomean that the entire network device is offline.

In some embodiments, an uplink-specific registry request message has afirst portion and a second portion of the message, such as a header anda payload. In some implementations, the first portion is characterizedas having a first write privilege, and the second portion ischaracterized as having a second write privilege. For example, the firstportion of the registry request message permits information to bedeleted, supplemented and/or modified, while the second portion of theregistry request message includes information that is read-only, andtherefore information cannot be supplemented, deleted or modified.However, in some implementations the first portion and the secondportion of the registry request message have the same read and/or writeprivileges. In some implementations, generating the registry requestmessage includes the multi-uplink network device writing the IP address,port number, uplink identifier and/or any other addressing informationcorresponding to a respective uplink to one or more portions of theregistry request message.

FIG. 2 also illustrates an example of how a NAT device such as NAT 153,intercepts uplink-specific registry request messages traveling from anetwork device to contact point network entity 160. For example, DeviceB generates uplink-specific registry request message RRM 165 aassociated with Uplink 0 172, which is intercepted by NAT 153 en routeto contact point network entity 160. In this same example, RRM 165 brepresents the same registry request message generated by Device B 154and associated with Uplink 0 172, after passing through NAT 153. In someimplementations a NAT intercepts and modifies at least a portion of aregistry request message, creating a modified registry request messagefor contact point network entity 160. For example, an uplink-specificregistry request message such as RRM 165 a has a header portion and apayload portion (e.g., a first portion and a second portion), and NAT153 rewrites or adds addressing information to the header of theregistry request message RRM 165 a. In some embodiments, a NAT deviceprovides the public contact point information, such as public IP addressand public port number used to access a respective uplink of aparticular network device, and the NAT device writes this public contactpoint information to a portion of an uplink-specific registry requestmessage passing through it.

In some implementations, an uplink-specific registry request messageselectively includes one or more additional components. For example, onecomponent is contact point information of the network device thatgenerated the registry request message and the uplink associated withit. Another example of a component is a request for uplink-specificcontact point information of one or more peer devices of the networkdevice that generated the registry request message. In someimplementations a request for contact point information includes deviceidentifiers and/or uplink identifiers for the one or more peer devices.

In some implementations, a respective network device acquires thesedevice identifiers and/or uplink identifiers when it receivesconfiguration information from an external source such as cloud hostedmanagement system 110 (FIG. 1 ). In some implementations, there is aunique uplink identifier to identify a respective uplink out of all thenetworking devices in a given networking environment. In someimplementations a respective network device (e.g., Device B 154)receives configuration information on a periodic basis, or when a changein configuration is performed. In some of these implementations,contents of the local peer contact point information table (e.g., TableB 155) are modified to add entries for new peer devices or deleteentries for removed peer devices.

Contact point network entity 160, is shown to have generated responsemessages, namely response message 164 to Uplink 1 173 of Device B 154and response message 166 to Uplink 0 172 of Device B 154. In someimplementations, a respective response message corresponds to arespective uplink-specific registry request message. For example,response message 164 en route to Uplink 0 172, is generated by contactpoint network entity 160 in response to receiving uplink-specificregistry request message 163. In some embodiments, a response messageincludes requested contact point information for peer devices of therequesting network device and/or the requesting uplink of the requestingnetwork device. As shown in FIG. 2 , in some embodiments a responsemessage such as response message 166 passes through a NAT device such asNAT 153, located between contact point network entity 160 and arespective uplink of a network device such as Uplink 0 172 of Device B154. In some implementations, a NAT device modifies a response messagepassing through to a respective uplink of a network device. For example,NAT 153 writes its own IP address and port number (e.g., a public IPaddress and public port number) to a portion of response message 166that has write privileges, so that Device B 154 can determine thatUplink 0 172 is located behind NAT 153 by reading the modified responsemessage.

FIG. 3A is a block diagram 300 illustrating the establishment of datatunnels at a multi-uplink network device. In FIG. 3A, examplemulti-uplink network device A 151 has two uplinks, Uplink 0 170 andUplink 1 171, configured to establish private network data tunnels(e.g., VPN tunnels) with another network device. In the example shown inFIG. 3A, a multi-uplink network device has two active uplinks forestablishing data tunnels, however those of ordinary skill in the artwill appreciate from the present disclosure that in some embodiments, amulti-uplink network device has more than two active uplinks forestablishing data tunnels. In some embodiments, a respective uplink isassociated with a respective port of a network device. For example, port0 302 of Device A 151 is associated with Uplink 0 170, and port 1 304 isassociated with Uplink 1 171. In some embodiments, a respective uplinkof a network device can be swapped to a new or different port, orreplaced with a new uplink. For example, if the IT budget of a branchoffice increases, it is able to upgrade an Internet uplink by replacingit with an MPLS uplink.

In some embodiments, a multi-uplink network device establishes one ormore data tunnels to a network device with only one uplink configured toestablish and actively use private network data tunnels. For example,FIG. 3A illustrates two data tunnels associated with Device A 151, eachtunnel having one end associated with one uplink and/or port of Device B154. In this example, Device B 154 has a port 0 306 associated withUplink 0 172, and another port 1 308 not associated with an uplink. Insome implementations, this arrangement of established data tunnelsindicates that Device B is only programmed to allow private network(e.g., VPN) traffic over one uplink. In some implementations, thisarrangement of established data tunnels is indicative that Device B onlyhas one uplink, or that it is a multi-uplink network device with one ormore uplinks that have gone offline. This example illustrates thatmulti-uplink network devices are configured to use more than one uplink,and in particular, that they are configured to simultaneously use morethan one uplink to establish a private network data tunnel. In someembodiments, a multi-uplink network device is referred to as an“active-active” network device, because it has at least two uplinks thatactively allow for establishing and using private network data tunnelsat the same time.

FIG. 3B is a block diagram 350 illustrating the establishment of datatunnels between multi-uplink network devices. In the example of FIG. 3B,Device B 154 is a multi-uplink network device configured to establishand use private network data tunnels over at least two uplinks,including Uplink 1 173 associated with port 1 308. Here, it can be seenthat Device A 151 is now able to establish and/or use four possibleprivate network data tunnels to communicate with Device B 154, whereeach uplink of Device A 151 is associated with two distinct data tunnelsrespectively associated with the two uplinks of Device B 154.

In some embodiments, establishing a respective data tunnel betweenDevice A 51 and Device B 154 includes having knowledge of specificaddressing information corresponding to each respective uplink and/orport associated with the data tunnel. For example, if Device A 151 isthe multi-uplink networking device initiating establishment of a datatunnel, it must obtain contact point information corresponding to Uplink0 172 and Uplink 1 173 of Device B 154. In some embodiments, Device A151 obtains this uplink-specific contact point information from itslocal peer contact point table A 152. In some embodiments, Device A 151obtains this uplink-specific contact point information from anothersource, such as contact point network entity 160 shown in FIG. 2 .

In some embodiments, in order to establish a respective data tunnel,after Device A 151 obtains contact point information for the uplinks ofDevice B 154, it creates a packet or set of packets to send over one itsown uplinks, such as Uplink 0 170 to a particular port of Device B 154associated with a particular uplink, such as Port 1 308 associated withUplink 1 173. In some implementations, these are referred to as “Hello”packets or test packets, and are sent periodically to keep a tunnelbetween two devices active. In some implementations, this packet or setof packets has addressing information corresponding to Uplink 0 170,such as an uplink identifier, and also contains the obtained contactpoint information corresponding to Port 1 308 and/or Uplink 1 173,including a peer device uplink identifier for Uplink 1 173. In someembodiments, if Device A 151 does not have current or accurate contactpoint information for Uplink 1 173 of Device B 154, the packet or set ofpackets will be dropped and device A 151 will reattempt to obtain thecontact point information for Uplink 1 173 and reattempt to establishthe data tunnel. In some implementations, Device B 154 generates andsends an acknowledgment packet back to Uplink 0 170 of Device A 151 overUplink 1 173.

FIG. 4A is a table 400 representing the contents of a contact pointregistry in accordance with some implementations. Table 400 includescolumns 402, 404, 406, 408, 410, 412 and 414, and entries 416, 418, 420,422, 424, 426, 428, 430, and 432. Within table 400, column 402 storesone or more device identifiers for each respective network device. Inthis example distinct alphanumeric characters are used to identifyrespective network devices, however those of ordinary skill in the artwill appreciate from the present disclosure that in some embodiments,this is not a limiting example of unique identifiers of network devicesof a given network (or private network). In some implementations, morethan one identifier is stored for a respective network device (e.g., auser-selected name and a unique system-generated number). In someimplementations, a network device has an identifier that is unique amongall compliant network devices in existence, even beyond the givennetwork.

Column 404 stores uplink identifiers for respective uplinks of eachnetwork device. In some implementations, respective uplink identifiersare unique for a respective network device, as shown in table 400. Inthis example distinct alphanumeric characters are used to identifyrespective uplinks, however those of ordinary skill in the art willappreciate from the present disclosure that in some embodiments, this isnot a limiting example of unique identifiers of uplinks of a givennetwork device. In some implementations, an uplink for a respectivenetwork device has an identifier that is unique amongst all uplinks ofnetwork devices in existence, even beyond the given network. Column 406stores information about the type of connection associated with arespective uplink. For example, entry 430 shows that Uplink 0 of DeviceD is an MPLS connection.

Column 408 illustrates an example of how private contact pointinformation can be stored. In some implementations, private contactpoint information associated with a respective uplink of a respectivenetwork device includes a pair of a private IP address and a privateport number. For example, entry 416 shows that the private contact pointinformation of Uplink 0 of Device A includes the private IP address10.0.10.0 and private port number of 50234. Column 410 illustrates anexample of stored public contact point information. In some embodiments,public contact point information associated with a respective networkdevice includes a pair of a public IP address and a public port number.In some implementations, the private contact point information andpublic contact point information for a respective device are the same.For example, Uplink 0 of Device A in entry 416 has the same IP addressand port number for both since there is no intermediate NAT devicebetween Uplink 0 of Device A and the contact point network entity, asshown in FIG. 1 .

In some implementations, the contact point registry has a column 412 forstoring the peer devices of a respective network device. For example, inentry 420, associated with Device A, it is shown that Device B andDevice C are peers of Device A. In some implementations, the peerdevices of a respective network device are determined from one or morereceived uplink-specific registry request messages from the respectivenetwork device. In some implementations, table 400 includes a columncorresponding to peer device uplinks instead of, or in addition tocolumn 412. In some implementations, a respective uplink of amulti-uplink network device is configured to establish data tunnels withspecific uplinks of another multi-uplink network device. In theseimplementations the contact point registry includes information aboutpeer device uplinks for a respective uplink in table 400.

Entry 432 corresponding to Uplink 1 of Device D has empty fields forprivate contact point information and public contact point information.In some embodiments, empty contact point information indicates that therespective uplink of a respective network device is offline orexhibiting a communication problem with the contact point networkentity.

In some implementations, information such as the information shown incolumn 414 is included in the contact point registry, to indicate thenature of a respective network device in a particular network topology.For example, the network that includes Device A, Device B, Device C andDevice D, has a hub and spoke topology, where one or more networkdevices is a “hub” device typically connected to at least two othernetwork devices, and one or more network devices is a “spoke” devicetypically only connected to one other network device. Alternativetopologies may be implemented for a given network, and as such, thecontact point registry may include information for each respectivenetwork device, for those alternative topologies. The columns andinformation shown in FIG. 3A are merely examples of the type ofinformation found in a contact point registry, however those of ordinaryskill in the art will appreciate from the present disclosure that insome embodiments, the contact point registry includes additionalinformation (e.g., status information, or time since last registryrequest message received), or less information than shown.

FIG. 4B is an example of a local peer contact point table 450 inaccordance with some implementations. Table 450 includes columns 452,454, 456, 458, 460 and 462, and entries 464, 466, 468, and 470. Forexample, local peer contact point table 450 is stored at Device A 151,in FIG. 1 . In some implementations, table 450 includes a subset of theinformation in the contact point registry, while in some implementationstable 450 includes additional information (e.g., status column 462). Theexample in FIG. 4B shows that Device A has two peer multi-uplinkdevices, Device B and Device C. In this example, private contact pointinformation 458 is stored for each peer device uplink, including aprivate IP address and private port number for each respective uplink ofeach respective peer network device. Additionally, peer device publiccontact point information 460 is stored, and in this case that includesstoring a public IP address and public port number for each respectivepeer device uplink. Table 450 also includes a status column 462, tostore an indicator of whether or not a respective uplink of a respectivepeer network device is online or offline. For example, entry 468corresponding to Uplink 0 of Device C indicates that this uplink isoffline, while entry 470 corresponding to Uplink 1 of Device C indicatesthat this uplink is online.

FIG. 5 is a flowchart representation of a method 500 of establishingprivate network data tunnels from a first network device in accordancewith some implementations. For the sake of additional clarity anddetail, the method 500 is described with reference to FIG. 1 , FIG. 2 ,FIGS. 3A and 3B, and FIGS. 4A and 4B. In some implementations, method500 is performed at a multi-uplink network device, such as Device A 151or Device B 154, in FIG. 1 . In some implementations, method 500 isperformed at a device operating as a router and/or as a gateway node. Insome implementations, method 500 is performed by one or more devices incommunication with each other through a private network, such as a VPN.

Method 500 includes a first multi-uplink network device obtaining (502)contact point information of a second network device. In someembodiments, the second network device is also a multi-uplink networkdevice, and its contact point information includes contact pointinformation for each of its respective uplinks. In some embodiments, theobtained contact point information of the second network device includesone or more peer uplink identifiers, where each respective peer uplinkidentifier corresponds to an uplink of the second network device.

In some embodiments, the first multi-uplink network device obtains thecontact point information of the second network device by retrieving itfrom its own local storage. FIG. 2 , as described earlier, illustratesan example of a technique for a respective multi-uplink network deviceto obtain the most recent contact point information of one or more peerdevices, if it does not already have current contact point informationin its own local storage. For example, in FIG. 2 , Device B 154generates one or more uplink-specific registry request messages withrequested contact point information, each message associated with arespective uplink. In this example, registry request message 163 isassociated with Uplink 1 173, an MPLS connection. The example in FIG. 2further illustrates receipt of registry request message 163 by thecontact point network entity 160, generation of response message 164,and eventual receipt of response message 164 at Device B 154 with therequested contact point information of one or more peer network devices.

Method 500 includes the first multi-uplink network device establishing(504) a first private network data tunnel from a first uplink of thenetwork device to the second network device. For example, as shown inFIG. 3A, Device A 151 established a private network data tunnelassociated with its own Uplink 0 170, and Uplink 0 172 of Device B 154.In some implementations, establishment of a respective private networkdata tunnel includes using an uplink identifier to identify therespective uplink of the first network device and the obtained contactpoint information of the second network device. FIG. 5 shows that method500 continues with the network device establishing (506) a secondprivate network data tunnel from a second uplink of the network deviceto the second network device. The example in FIG. 3A also shows a secondprivate network data tunnel established between Device A 151 and DeviceB 154, associated with Uplink 1 171 and Uplink 0 172 of Device B. Theexamples in FIG. 3A and FIG. 3B illustrate that one respective uplink ofa respective network device can be associated with a plurality of datatunnels.

In some implementations, the first multi-uplink network device creates apacket or set of packets to send over a first uplink of its own uplinks,to a particular port of the second network device associated with aparticular peer device uplink, as a part of establishing a privatenetwork data tunnel. In some implementations, this packet or set ofpackets has addressing information that includes an uplink identifier ofthe first uplink of the first multi-uplink network device, and alsocontains the obtained contact point information corresponding to thesecond network device. In some embodiments, if the first multi-uplinknetwork device does not have current or accurate contact pointinformation for the peer device uplink of the second network device, thepacket or set of packets will be dropped and the first multi-uplinknetwork device will reattempt to obtain the contact point informationfor the peer device uplink and reattempt to establish the data tunnel.In some implementations, the second network device generates and sendsan acknowledgment packet back to the first uplink of the firstmulti-uplink network device. In some implementations, establishing aprivate network data tunnel includes using a “hole-punching” protocol.

FIG. 6 is a flowchart representation of a method 600 of establishingprivate network data tunnels between multi-uplink network devices inaccordance with some implementations. In some implementations, method600 is an extension or a more detailed process for performing some orall of the activities of method 500 described earlier. As such, for thesake of efficiency, reference is made, when appropriate, tocorresponding activities in method 500. For the sake of additionalclarity and detail, the method 600 is described with reference to FIG. 1, FIG. 2 , FIG. 3A, FIG. 3B, FIG. 4A and FIG. 4B. In someimplementations, method 600 is performed at a multi-uplink networkdevice, such as Device A 151 or Device B 154, in FIG. 1 . In someimplementations, method 600 is performed at a device operating as arouter and/or as a gateway node. In some implementations, method 600 isperformed by one or more devices in communication with each otherthrough a private network, such as a VPN.

As described above with respect to method 500, method 600 includes amulti-uplink network device obtaining (602) contact point informationcorresponding to a second network device, from a shared contact pointnetwork entity. Furthermore, the method 600 includes the network devicedetermining (604) a first connection type associated with a first peerdevice uplink of the second device, and a second connection typeassociated with a second peer device uplink of the second device. Forexample, FIG. 4B illustrates an example local peer contact point tablethat a network device uses to obtain contact point information of itspeer devices. In this example, if Device B is the second device, columns454 and 456 indicate that both of Device B's uplinks are Internetconnections. In some implementations, this determination of theconnection or uplink types of the second network device is included inthe establishment of one or more private network data tunnels. Forexample, Device A is configured with a policy to only establish privatenetwork data tunnels with its MPLS uplink to MPLS peer device uplinks.

As described above with respect to method 500, the network deviceestablishes (606) a first private network data tunnel from a firstuplink of the network device to the second network device, andestablishes (608) a second private network data tunnel from a seconduplink of the network device to the second network device.

Method 600 includes establishing (610) a third private network datatunnel from a first uplink of the first multi-uplink network device tothe second network device. The method 600 includes establishing (612) afourth private network data tunnel from a second uplink of the firstmulti-uplink network device to the second network device. In someimplementations, policy reasons prevent the establishment of one or moreprivate network data tunnels between the first multi-uplink networkdevice and the second network device. For example, a multi-uplinknetwork device is configured to turn off its MPLS uplink on weekends forIT maintenance.

FIG. 7 is a flowchart representation of a method 700 of retrievingcontact point information for multi-uplink network devices, performed ata contact point network entity in accordance with some implementations.For the sake of additional clarity and detail, the method 700 isdescribed with reference to FIG. 1 , FIG. 2 , FIG. 4A and FIG. 4B. Insome implementations, method 700 is performed at a network entity orserver, such as contact point network entity 160, in FIG. 1 . In someimplementations, method 700 is performed at a single computing machine,or across several computing machines (e.g., a group of servers). In someimplementations, method 700 is performed by one or more computingmachines associated with devices in communication with each otherthrough a private network, such as a VPN.

Method 700 includes receiving (702) an uplink-specific registry requestmessage from a first uplink of a multi-uplink network device. Forexample, FIG. 2 shows contact point network entity 160 obtainingregistry request message 163 in association with uplink 1 173 of DeviceB 154. In this example, registry request message 163 is eithertransmitted by Device B 154 (e.g., “pushed”), or retrieved by contactpoint network entity 160 (e.g., “pulled”). The contact point networkentity obtains (704) peer contact point information corresponding to oneor more peer device uplinks of one or more respective peer devices ofthe multi-uplink network device, from a contact point registry. In someimplementations, this peer contact point information is obtained inresponse to receiving the registry request message. For example, contactpoint network entity 160 receives registry request message 163 fromDevice B 154, and subsequently obtains contact point information for thevarious uplinks of Device B's 154 peer devices from contact pointregistry 161.

In some implementations, obtaining the peer contact point informationincludes detecting which network device generated the received registryrequest message and which respective uplink is associated with theregistry request message. In some implementations, this also includesretrieving a list of that network device's peers and/or a list of peerdevice uplinks with which the respective uplink is configured toestablish data tunnels. For example, contact point network entity 160determines that message 163 came from Device B 154 in association withuplink 1 173. In this example, contact point network entity 160 alsodetermines that Device A and Device C are peer devices to Device B andthat uplink 1 173 is configured to establish data tunnels with uplink 0of Device A and uplink 0 and uplink 1 of Device C. In someimplementations, obtaining the peer contact point information includesreading the content of the received registry request message todetermine the peer devices of the network device that generated theregistry request message. For example, contact point network entity 160reads a registry request message generated by Device B 154 to retrieveDevice A and Device C's contact point information.

Method 700 continues with generating (706) a response message includingthe obtained peer contact point information. In some implementations,generating the response message includes writing additional informationsuch as the status of peer devices (e.g., offline, online), the contactpoint information on record for the network device that sent the firstregistry request message, timing information, and/or changes in networktopology (e.g., a peer device going from a hub to a spoke). In someimplementations, method 600 continues with obtaining a second registryrequest message, optionally from a second network device.

FIG. 8 is a flowchart representation of a method 800 of retrievingcontact point information for multi-uplink network devices, performed ata contact point network entity in accordance with some implementations.In some implementations, method 800 is an extension or a more detailedprocess for performing some or all of the activities of method 700described earlier. As such, for the sake of efficiency, reference ismade, when appropriate, to corresponding activities in method 700. Forthe sake of additional clarity and detail, the method 800 is describedwith reference to FIG. 1 , FIG. 2 and FIGS. 4A and 4B. In someimplementations, method 800 is performed at a network entity or server,such as contact point network entity 160, in FIG. 1 . In someimplementations, method 800 is performed at a single computing machine,or across several computing machines (e.g., a group of servers). In someimplementations, method 800 is performed by one or more computingmachines associated with devices in communication with each otherthrough a private network, such as a VPN.

Method 800 includes receiving (802) a registry request message from afirst uplink of a network device, as described above with respect tomethod 700, and determining (804) a peer device identifier identifying apeer device of the network device and one or more peer uplinkidentifiers identifying respective uplinks of the peer device, from theregistry request message. In some implementations, the network deviceinitially obtains the peer device identifiers (e.g., examples shown incolumn 452, FIG. 4B) and peer uplink identifiers (e.g., examples shownin column 454, FIG. 4B) through the receipt of configuration information(e.g., from the cloud hosted management system 110, FIG. 1 ). The method800 includes obtaining (806) peer contact point informationcorresponding to one or more peer device uplinks of one or morerespective peer devices of the network device, as described earlier withrespect to method 700.

The contact point network entity determines (808) contact pointinformation associated with the first uplink of the network device, fromthe registry request message. For example, as described above withrespect to FIG. 2 , in some implementations, a registry request messageincludes two or more portions, where each respective portion of theregistry request message has a different read and/or write privilege. Inthis example, the private contact point information of the first uplinkof the network device is written to one portion of the registry requestmessage and the public contact point information is written to anotherportion. In some implementations, determining the contact pointinformation of the first uplink of the network device includes readingthe first registry request message, identifying a device identifiercorresponding to the first network device, identifying an uplinkidentifier corresponding to the first uplink and correlating contactpoint information in the first registry message associated with thedevice identifier for the network device and uplink identifier for thefirst uplink.

Method 800 includes deciding (810) whether or not the determined contactpoint information associated with the first uplink of the network device(i.e., from the registry request message) is different from contactpoint information corresponding to the first uplink of the networkdevice, stored in the contact point registry of the contact pointnetwork entity. In some implementations, the contact point registry doesnot contain any contact point information corresponding to the firstuplink of the network device, and as such, the determined contact pointinformation is considered to be different. In accordance with adetermination that the contact point information associated with thefirst uplink of the network device in the registry request message isnot different, the contact point network entity does not update (812)the contact point registry. In accordance with a determination that thecontact point information associated with the first uplink of thenetwork device in the registry request message is different, the contactpoint network entity updates (814) the contact point registry.

As described earlier with respect to method 700, the contact pointnetwork entity generates (816) a response message including the peercontact point information for the peer device uplinks of the peerdevices of the first network device. Method 800 also includes conveying(818) the response message to the network device. As described in detailearlier, in some implementations this includes either transmission ofthe response message by the contact point network entity, or retrievalby the network device.

In some implementations, method 800 additionally includes obtaining asecond registry request message from a second network device, in asimilar manner to obtaining the registry request message from thenetwork device. In some implementations, the second registry requestmessage is obtained earlier or at the same time as the above describedregistry request message. In some embodiments, the contact point networkentity obtains peer contact point information corresponding to one ormore peer device uplinks of peer devices of the second device, andgenerates a second response message including the peer contact pointinformation requested by the second device and conveys the secondresponse message to the second network device.

FIG. 9 is a block diagram of an example network device 900 of anetworking environment in accordance with some implementations. Whilecertain specific features are illustrated, those skilled in the art willappreciate from the present disclosure that various other features havenot been illustrated for the sake of brevity, and so as not to obscuremore pertinent aspects of the implementations disclosed herein. To thatend, as a non-limiting example, in some implementations the networkdevice 900 includes one or more processing units (CPU's) 902, a networkinterface 904, a programming interface 906, one or more I/O ports 908, amemory 912, and one or more communication buses 910 for interconnectingthese and various other components.

In some implementations, the communication buses 910 include circuitrythat interconnects and controls communications between systemcomponents. The memory 912 includes high-speed random access memory,such as DRAM, SRAM, DDR RAM or other random access solid state memorydevices; and may include non-volatile memory, such as one or moremagnetic disk storage devices, optical disk storage devices, flashmemory devices, or other non-volatile solid state storage devices. Thememory 912 optionally includes one or more storage devices remotelylocated from the CPU(s) 902. The memory 912 comprises a non-transitorycomputer readable storage medium. In some implementations, the memory912 or the non-transitory computer readable storage medium of the memory912 stores the following programs, modules and data structures, or asubset thereof including an optional operating system 914, a networkaccess module 916, a data tunnel establishment module 918, an uplinkconnection determination module 920, a peer contact point informationmanagement module 922 and local peer contact point table 924.

The operating system 914 includes procedures for handling various basicsystem services and for performing hardware dependent tasks. In someimplementations, network access module 916 is configured to allow thenetwork device 900 to transmit and receive communications (e.g., totransmit registry request messages and/or receive response messages). Tothat end, in various implementations, the network access module 916includes instructions and/or logic 917 a, heuristics and metadata 917 b.

In some implementations, data tunnel establishment module 918 isconfigured to establish private network tunnels (e.g., VPN data tunnels)between single or multi-uplink network devices. In some implementationsthis includes being configured to follow any tunnel-establishmentpolicies. The data tunnel establishment module 918 is also configured,in some implementations, to generate one or more packets to send to apeer network device during the process of establishing a data tunnel. Tothat end, in various implementations, the data tunnel establishmentmodule 918 includes instructions and/or logic 919 a, heuristics andmetadata 919 b.

In some implementations, uplink connection determination module 920 isconfigured to determine a connection type associated with a peer deviceuplink. For example, uplink connection determination module 920retrieves uplink connection type information from local peer contactpoint table 924. To that end, in various implementations, the uplinkconnection determination module 920 includes instructions and/or logic921 a, heuristics and metadata 921 b.

In some implementations, peer contact point information managementmodule 922 is configured to perform various management operations onlocal peer contact point table 924, and to obtain peer contact pointinformation. For example, peer contact point information managementmodule 922 stores, updates, retrieves and backs up information in localpeer contact point table 924. In some implementations this includesbeing configured to obtain contact point information used by the datatunnel establishment module 918 to connect with uplinks of peer devices.To that end, in various implementations, the peer contact pointinformation management module 922 includes instructions and/or logic 923a, heuristics and metadata 923 b.

In some implementations, local peer contact point table 924 storescontact point information for one or more peer network devices ofnetwork device 900, such as network devices with a direct communicationpath or data tunnel to network device 900. In some implementations,local peer contact point table 924 also stores the contact pointinformation corresponding to one or more uplinks of network device 900.In some implementations, local peer contact point table 924 storesadditional information pertaining to network device 900 and/or one ormore of its peer devices, such as online status, hub/spoke/mesh topologyconfiguration and corresponding LAN information.

FIG. 10 is a block diagram of an example contact point network entity1000 of a networking environment in accordance with someimplementations. While certain specific features are illustrated, thoseskilled in the art will appreciate from the present disclosure thatvarious other features have not been illustrated for the sake ofbrevity, and so as not to obscure more pertinent aspects of theimplementations disclosed herein. To that end, as a non-limitingexample, in some implementations the contact point network entity 1000includes one or more processing units (CPU's) 1002, a network interface1004, a programming interface 1006, one or more I/O ports 1008, a memory1012, and one or more communication buses 1010 for interconnecting theseand various other components.

In some implementations, the communication buses 1010 include circuitrythat interconnects and controls communications between systemcomponents. The memory 1012 includes high-speed random access memory,such as DRAM, SRAM, DDR RAM or other random access solid state memorydevices; and may include non-volatile memory, such as one or moremagnetic disk storage devices, optical disk storage devices, flashmemory devices, or other non-volatile solid state storage devices. Thememory 1012 optionally includes one or more storage devices remotelylocated from the CPU(s) 1002. The memory 1012 comprises a non-transitorycomputer readable storage medium. In some implementations, the memory1012 or the non-transitory computer readable storage medium of thememory 1012 stores the following programs, modules and data structures,or a subset thereof including an optional operating system 1014, anetwork access module 1016, an uplink-specific registry requestinterpretation module 1018, an uplink-specific response messagegeneration module 1020, a contact point information management module1022 and a contact point registry 1024.

The operating system 1014 includes procedures for handling various basicsystem services and for performing hardware dependent tasks. In someimplementations, network access module 1016 is configured to allow thecontact point network entity 1000 to transmit and receive communications(e.g., to receive uplink-specific registry request messages and/ortransmit uplink-specific response messages). To that end, in variousimplementations, the network access module 1016 includes instructionsand/or logic 1017 a, heuristics and metadata 1017 b.

In some implementations, uplink-specific registry request interpretationmodule 1018 is configured to interpret a received uplink-specificregistry request message from a network device, and to determine therelevant information from the registry request message. For example,uplink-specific registry request interpretation module 1018 reads areceived uplink-specific registry request message, identifies one ormore peer device identifiers and/or one or more peer uplink identifiers,and any requests for contact point information corresponding to the oneor more peer device identifiers and/or peer uplink identifiers. Inanother example, uplink-specific registry request interpretation module1018 reads a received uplink-specific registry request message anddetermines uplink-specific contact point information corresponding tothe uplink of a network device associated with the received registryrequest message (e.g., an uplink identifier, public IP address, andprivate IP address). To that end, in various implementations, theuplink-specific registry request interpretation module 1018 includesinstructions and/or logic 1019 a, heuristics and metadata 1019 b.

In some implementations, uplink-specific response message generationmodule 1020 is configured to generate an uplink-specific responsemessage. In some implementations this includes configuring theuplink-specific response message generation module 1020 to retrieve fromcontact point registry 1024, contact point information of the identifiedpeer devices and their respective uplinks (e.g., from an uplink-specificregistry request message) and writing the information to theuplink-specific response message. To that end, in variousimplementations, the response message generation module 1020 includesinstructions and/or logic 1021 a, heuristics and metadata 1021 b.

In some implementations, contact point information management module1022 is configured to perform various management operations on contactpoint registry 1024. For example, contact point information managementmodule 1022 stores, updates, retrieves and backs up information incontact point registry 1024. To that end, in various implementations,the contact point information management module 1020 includesinstructions and/or logic 1023 a, heuristics and metadata 1023 b.

While various aspects of implementations within the scope of theappended claims are described above, those of ordinary skill in the artwill appreciate from the present disclosure that in some embodiments,the various features of implementations described above are embodied ina wide variety of forms and that any specific structure and/or functiondescribed above is merely illustrative. Based on the present disclosureone skilled in the art will appreciate that in some embodiments, anaspect described herein is implemented independently of any otheraspects and that two or more of these aspects may be combined in variousways. For example, an apparatus may be implemented and/or a method maybe practiced using any number of the aspects set forth herein. Inaddition, such an apparatus may be implemented and/or such a method maybe practiced using other structure and/or functionality in addition toor other than one or more of the aspects set forth herein.

It will also be understood that, although the terms “first,” “second,”etc. may be used herein to describe various elements, those of ordinaryskill in the art will appreciate from the present disclosure that theseelements will not be limited by these terms. These terms are only usedto distinguish one element from another. For example, a first contactcould be termed a second contact, and, similarly, a second contact couldbe termed a first contact, which changing the meaning of thedescription, so long as all occurrences of the “first contact” arerenamed consistently and all occurrences of the second contact arerenamed consistently. The first contact and the second contact are bothcontacts, but they are not the same contact.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to be limiting of the claims. Asused in the description of the embodiments and the appended claims, thesingular forms “a”, “an” and “the” are intended to include the pluralforms as well, unless the context clearly indicates otherwise. It willalso be understood that the term “and/or” as used herein refers to andencompasses any and all possible combinations of one or more of theassociated listed items. It will be further understood that the terms“comprises” and/or “comprising,” when used in this specification,specify the presence of stated features, integers, steps, operations,elements, and/or components, but do not preclude the presence oraddition of one or more other features, integers, steps, operations,elements, components, and/or groups thereof.

As used herein, the term “if” may be construed to mean “when” or “upon”or “in response to determining” or “in accordance with a determination”or “in response to detecting,” that a stated condition precedent istrue, depending on the context. Similarly, the phrase “if it isdetermined [that a stated condition precedent is true]” or “if [a statedcondition precedent is true]” or “when [a stated condition precedent istrue]” may be construed to mean “upon determining” or “in response todetermining” or “in accordance with a determination” or “upon detecting”or “in response to detecting” that the stated condition precedent istrue, depending on the context.

What is claimed is:
 1. A method, comprising: at a first network devicecorresponding to a first network site, including a memory, anon-transitory computer readable storage medium, one or more processorsand two or more communication ports: communicating with one or moreremote hosts to obtain, at the first network device, contact pointinformation for a second network site, the second network sitecomprising one or more other network devices associated with the firstnetwork device as peer devices in a private network, wherein the contactpoint information for the second network site includes one or more peeruplink identifiers, each respective peer uplink identifier correspondingto a respective peer device uplink of a corresponding one of the one ormore other network devices; establishing a first private network datatunnel from a first uplink of the first network device to the secondnetwork site, based on the contact point information including a firstuplink identifier associated with a first peer device uplink, the firstuplink of the first network device is associated with a first set ofsource and destination ports connected to one or more first networks;establishing a second private network data tunnel from a second uplinkof the first network device to the second network site, based on thecontact point information including a second uplink identifierassociated with a second peer device uplink, the second uplink of thefirst network device is associated with a second set of source anddestination ports connected to one or more second networks, wherein thefirst and second private network data tunnels are concurrently activefor sending data, and wherein the first private network data tunnel isassociated with a first link type and the second private network datatunnel is associated with a second link type, wherein the first linktype is at least one of a public network connection, an Internet link,or an internet service provider connection, wherein the second link typeis at least one of a Multiprotocol Label Switching (MPLS) link or awireless link; and selectively routing data from the first networkdevice to the second network site across the first private network datatunnel and the second private network data tunnel.
 2. The method ofclaim 1, wherein the contact point information provided to the firstnetwork device depends on a role associated with the first networkdevice in a network topology including the first and second networksites.
 3. The method of claim 2, wherein the role is a spoke device. 4.The method of claim 3, wherein the one or more other network devices ofthe second network site are hub devices.
 5. The method of claim 1,wherein selectively routing the data comprises: routing a first portionof the data that satisfies a selection criterion via the first privatenetwork data tunnel; and routing a second portion of the data that doesnot satisfy the selection criterion via the second private network datatunnel based on a routing criterion.
 6. The method of claim 1, whereinselectively routing the data comprises: selectively routing the datafrom the first network device to the second network site across thefirst private network data tunnel and the second private network datatunnel to isolate sensitive data on the first private network datatunnel.
 7. The method of claim 1, wherein selectively routing the datais based on one or more bandwidth parameters corresponding to highpriority network traffic.
 8. The method of claim 1, wherein selectivelyrouting the data is based on a prioritization of network traffic.
 9. Afirst network device, comprising: a memory, one or more processors andtwo or more communication ports; the memory coupled to the one or moreprocessors, the memory storing instructions which when executed by theone or more processors causes the first network device to: communicatewith one or more remote hosts to obtain contact point information for asecond network site, the second network site comprising one or moreother network devices associated with the first network device as peerdevices in a private network, wherein the contact point information forthe second network site includes one or more peer uplink identifiers,each respective peer uplink identifier corresponding to a respectivepeer device uplink of a corresponding one of the one or more othernetwork devices; establish a first private network data tunnel from afirst uplink of the first network device to the second network site,based on the contact point information including a first uplinkidentifier associated with a first peer device uplink, the first uplinkof the first network device being associated with a first set of sourceand destination ports connected to one or more first networks; establisha second private network data tunnel from a second uplink of the firstnetwork device to the second network site, based on the contact pointinformation including a second uplink identifier associated with thesecond peer device uplink, the second uplink of the first network devicebeing associated with a second set of source and destination portsconnected to one or more second networks, wherein the first and secondprivate network data tunnels are concurrently active for sending data,wherein the first private network data tunnel is associated with a firstlink type and the second private network data tunnel is associated witha second link type, wherein the first link type is at least one of apublic network connection, an Internet link, or an internet serviceprovider connection, wherein the second link type is at least one of aMultiprotocol Label Switching (MPLS) link or a wireless link; andselectively route data from the first network device to the secondnetwork site across the first private network data tunnel and the secondprivate network data tunnel.
 10. The first network device of claim 9,wherein the contact point information provided to the first networkdevice depends on a role associated with the first network device in anetwork topology including the first and second network sites.
 11. Thefirst network device of claim 10, wherein the role is a spoke device.12. The first network device of claim 11, wherein the one or more othernetwork devices of the second network site are hub devices.
 13. Thefirst network device of claim 9, wherein selectively routing the dataincludes: routing a first portion of the data that satisfies a selectioncriterion via the first private network data tunnel; and routing asecond portion of the data that does not satisfy the selection criterionvia the second private network data tunnel based on a routing criterion.14. The first network device of claim 9, wherein selectively routing thedata comprises: selectively routing the data from the first networkdevice to the second network site across the first private network datatunnel and the second private network data tunnel to isolate sensitivedata on the first private network data tunnel.
 15. The first networkdevice of claim 9, wherein selectively routing the data is based on oneor more bandwidth parameters corresponding to high priority networktraffic.
 16. The first network device of claim 9, wherein selectivelyrouting the data is based on a prioritization of network traffic.
 17. Amethod comprising at a network management device associated with aprivate network, the network management device including a memory, anon-transitory computer readable storage medium, one or more processorsand two or more communication ports: maintaining contact pointinformation for a plurality of network devices of the private network,wherein the contact point information for at least a first networkdevice of the plurality of network devices comprises a first uplinkidentifier corresponding to a first device uplink of the first networkdevice and a second uplink identifier corresponding to a second deviceuplink of the first network device; maintaining private network topologyinformation comprising associations between the plurality of networkdevices as peer devices; communicating with a second network device ofthe plurality of network devices to provide configuration informationfor the second network device, wherein the second network devicecomprises a third device uplink and a fourth device uplink, wherein thethird device uplink of the second network device is associated with afirst set of source and destination ports connected to one or more firstnetworks via a first link type, and wherein the fourth device uplink ofthe second network device is associated with a second set of source anddestination ports connected to one or more second networks via a secondlink type, wherein the first link type is at least one of a publicnetwork connection, an Internet link, or an internet service providerconnection, wherein the second link type is at least one of aMultiprotocol Label Switching (MPLS) link or a wireless link; andproviding the configuration information to the second network device,wherein the configuration information comprises the contact pointinformation for corresponding ones of the plurality of network devicesthat are associated with the second network device based on the privatenetwork topology information and the configuration informationcomprising the contact point information of at least the first networkdevice.
 18. The method of claim 17, further comprising monitoring astatus of the plurality of network devices.
 19. The method of claim 18,wherein monitoring the status of the plurality of network devicescomprises receiving one or more messages from each of the plurality ofnetwork devices on a periodic basis.
 20. The method of claim 19, whereinthe one or more messages, for at least one of the plurality of networkdevices, are transmitted on each available uplink of the least one ofthe plurality of network devices.
 21. The method of claim 19, furthercomprising updating one or more of the plurality of network devices withstatus information corresponding to peers of the plurality of networkdevices.
 22. The method of claim 17, wherein the network managementdevice is a cloud-hosted system.
 23. The method of claim 17, wherein thenetwork management device is further operative to manage theconfiguration of the plurality of network devices.
 24. A networkmanagement device associated with a private network, the networkmanagement device comprising a memory, one or more processors and one ormore communication ports; the memory coupled to the one or moreprocessors, the memory storing instructions which when executed by theone or more processors causes the network management device to: maintaincontact point information for a plurality of network devices of aprivate network, wherein the contact point information for at least afirst network device of the plurality of network devices comprises afirst uplink identifier corresponding to a first device uplink of thefirst network device and a second uplink identifier corresponding to asecond device uplink of the first network device; maintain privatenetwork topology information comprising associations between theplurality of network devices as peer devices; communicate with a secondnetwork device of the plurality of network devices to provideconfiguration information for the second network device, wherein thesecond network device comprises a third device uplink and a fourthdevice uplink, wherein the third device uplink of the second networkdevice is associated with a first set of source and destination portsconnected to one or more first networks fir a first link type, andwherein the fourth device uplink of the second network device isassociated with a second set of source and destination ports connectedto one or more second networks via a second link type, wherein the firstlink type is at least one of a public network connection, an Internetlink, or an internet service provider connection, wherein the secondlink type is at least one of a Multiprotocol Label Switching (MPLS) linkor a wireless link; and provide the configuration information to thesecond network device, wherein the configuration information comprisesthe contact point information for corresponding ones of the plurality ofnetwork devices that are associated with the second network device basedon the private network topology information and the configurationinformation comprising the contact point information of at least thefirst network device.
 25. The network management device of claim 24,wherein the instructions which when executed by the one or moreprocessors causes the network management device to monitor status of theplurality of network devices.
 26. The network management device of claim25, wherein monitoring the status of the plurality of network devicescomprises receiving one or more messages from each of the plurality ofnetwork devices on a periodic basis.
 27. The network management deviceof claim 26, wherein the one or more messages, for at least one of theplurality of network devices, are transmitted on each available uplinkof the least one of the plurality of network devices.
 28. The networkmanagement device of claim 26, wherein the instructions which whenexecuted by the one or more processors causes the network managementdevice to update one or more of the plurality of network devices withstatus information corresponding to peers of the plurality of networkdevices.
 29. The network management device of claim 24, wherein thenetwork management device is a cloud-hosted system.
 30. The networkmanagement device of claim 29, wherein the instructions which whenexecuted by the one or more processors causes the network managementdevice to manage the configuration of the plurality of network devices.